Thousands of articles on cybersecurity point out that people play as much of a role in preventing data breaches as technology does. In fact, according to The 2018 Cost of a Data Breach Study by the Ponemon Institute, 27 percent of data breaches this year have been caused by human error. So clearly, it’s important to involve people in any type of defense strategy.
The tricky thing is that, as we’ve learned from the slow uptake of digital transformation, getting people to change is a challenge. It can’t be done by simply saying “be more careful” or “lock your computer.” Instead, to reduce the human-error risk, corporate leaders must look to significantly transform their business culture.
What is culture?
According to the dictionary, culture is “the set of shared attitudes, values, goals, and practices that characterizes an institution or organization.” It isn’t simply about one person doing a better job; rather, it’s about a collective focus. And, it isn’t simply about what we do either. It’s also about how we think about the things we do.
So, if we break down our effort to transform companywide participation in cybersecurity, we must examine each of these areas and start thinking about the role they play in creating a culture of safety.
Changing attitudes about cybersecurity
If we want to change attitudes about cybersecurity, we need to remove falsehoods and accentuate the true factual components of the risk.
One common falsehood is that “cybersecurity is IT’s job.” Too often, people hear cybersecurity and instantly think about email and the internet — and clearly that’s technology, so IT will fix it. This is one attitude that needs to shift. People need to understand how much of a role they play in protecting the organization.
Another concept that must shift is that “this could never happen to me.” That’s simply not true. An attack can happen to any person in any organization. People need to understand how these attacks work and need to start hearing the statistics about how common they are:
- 91% of the time, phishing emails are behind cyberattacks. Do people know what a phishing attack is?
- Criminals aren’t always seeking financial information. They are after many commonly used logins/account information. Do people guard all of their account information equally?
- Incidents of mobile malware are growing. They are up 54%. Do people even consider their cell phones and tablets to be a danger?
- There have been 22.41 million records exposed in the United States alone so far in 2018. Yes, this can happen to anyone.
Changing values related to cybersecurity
When we talk about values, we are talking about giving something worth: giving it meaning and importance in the lives of those around us. So, if the “fear factor” isn’t enough to inspire action, how do we give cybersecurity value in the eyes of our employees?
Certainly, leading by example is key. Both in terms of talking the talk and providing budget for cyberdefense efforts, leadership in all lines of business must understand the importance of cybersecurity and must routinely encourage people to take appropriate actions. And, of course, they must do so themselves: you can’t tell others to change their passwords and then retain yours for 25 years because it’s easier that way.
Sometimes though, people need more before they place value on an idea. Think about a sport that you participate in and value. You brag about your accomplishments on the field. You celebrate successes with your team. You might encourage someone else to give it a try and support them in doing so.
The same is needed with cybersecurity initiatives. People must be regularly encouraged and reminded about how important their role is. They must be celebrated for putting the effort in: they need to be thanked when they raise a red flag, admit a mistake or follow policies.
Changing goals pertaining to cybersecurity
All goals take measurement to be successful, but how do you measure awareness and uptake around this issue? Remember that this is about shifting the culture, so you don’t want to use tried-and-true technical KPIs, like number of incidents or cost per incident.
Instead, think about how to measure employee involvement:
- Are people reading the information that you provide? What type of click rates do you get? Open rates?
- Are they agreeing to policies and procedures? How many turned in a signed copy of the policy? How many completed training?
- Are employees actually more aware of their role in cybersecurity? Perhaps survey them annually to find out what they know and don’t know.
- Is the IT department getting more requests to evaluate apps/programs? Or more reports of suspicious activity?
And, keep in mind that a cultural shift needs to be a collective effort, so don’t keep the numbers hidden. You may even want to celebrate the effort a bit: “Hey everyone, we were at 85% awareness last year. Let’s see if we can hit 92% this year! First person to turn in their survey gets a prize!”
Changing practices that impact cybersecurity
And, of course, there are all of the practical components that are needed to get the work done. Practices are all of the tips and tricks that are used to combat data breaches:
- Background check new hires
- Implement training
- Embed a cybersecurity advocate in each team/group
- Implement automatic backups and/or provide backup devices
- Force password changes
- Auto-update software
- Use encryption
- Provide company-owned mobile devices
- Invest in a shredder or document destruction service
- Clean up out-of-date files
- Physically secure laptops and devices
- Lock the screen on devices when you leave them unattended
The overall point here is that it takes more than just a checklist of best practices to move the needle on creating a culture of cybersecurity awareness. It takes all components of culture working together and focused on change in order to protect your organization.